OpenSSL 是一个免费开源的库,它提供了构建数字证书的命令行工具,其中一些可以用来自建 Root CA。
1 安装openssl
1
| sudo yum install openssl openssl-libs
|
2 自建Root CA
首先找到一个放置证书的文件夹,比如 ~/ca 下,下方的测试也在改目录下,如果你要更换其他目录,记得替换下文中的目录地址
2.1 设定文件架构,并配置openssl设置
创建目录
1
2
3
4
5
6
| mkdir -p ~/ca/{certs,crl,newcerts,private}
cd ~/ca
chmod 700 private
touch index.txt
echo 1000 > serial
cp /etc/pki/tls/openssl.cnf ./
|
修改openssl.cnf配置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| # 更改openssl.cnf的以下参数
[ CA_default ]
dir = /home/cc/ca
certs = $dir/certs
certificate = $dir/certs/cacert.pem
crl = $dir/crl/cacrl.pem
private_key = $dir/private/cakey.pem
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
# 在openssl.cnf的末尾添加以下配置
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
2.2 创建Root CA Key
1
2
3
4
| # 注意,此处提供了-aes256参数用来加密密钥,所以必须输入密码
cd ~/ca
openssl genrsa -aes256 -out private/cakey.pem 4096
chmod 400 private/cakey.pem
|
2.3 创建Root CA cert
1
2
3
4
| cd ~/ca
# 需要输入root CA key的密码
openssl req -config openssl.cnf -key private/cakey.pem -new -x509 -days 14500 -sha256 -extensions v3_ca -out certs/cacert.pem
chmod 444 certs/cacert.pem
|
以上命令需要提供CA Key的密码,就是刚刚创建CA key的密码,还需要提供Country Name(C)、State(ST)、Locality(L)、Organization(O)、Organizational Unit(OU)、Common Name(CN)、电子邮件地址(emailAddress ),注意:Common Name不可以重复,例:
1
2
3
4
5
6
7
| Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:Net Cc
Organizational Unit Name (eg, section) []:Net Cc Certificate Authority
Common Name (eg, your name or your server's hostname) []:Net Cc Root CA
Email Address []:
|
2.4 验证证书
3.1 设定文件架构,并配置openssl设置
创建目录
1
2
3
4
5
6
7
| mkdir -p intermediate/{certs,crl,newcerts,private,csr}
cd ~/ca/intermediate
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber
cp ../openssl.cnf ./
|
修改openssl.cnf配置
1
2
3
4
5
| # 更改openssl.cnf的以下配置
[ CA_default ]
dir = /home/cc/ca/intermediate
[ policy_match ]
organizationName = supplied
|
1
2
3
4
| cd ~/ca/intermediate
# 注意,此处提供了-aes256参数用来加密密钥,所以必须输入密码,等会生成CA证书和签名的时候需要用到这个密码
openssl genrsa -aes256 -out private/cakey.pem 4096
chmod 400 private/cakey.pem
|
1
2
3
| cd ~/ca/intermediate
# 需要输入intermediate CA key的密码
openssl req -config openssl.cnf -new -sha256 -key private/cakey.pem -out csr/ca.csr
|
以上命令需要提供Intermediate CA Key的密码和一些名字,注意:Common Name不可以重复,例:
1
2
3
4
5
6
7
| Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:Net Cc
Organizational Unit Name (eg, section) []:Net Cc Certificate Authority
Common Name (eg, your name or your server's hostname) []:Net Cc Intermediate CA
Email Address []:
|
3.4 使用root ca进行签名
1
2
3
4
| cd ~/ca
# 使用root CA的openssl.cnf文件,需要输入root CA 密钥的密码
openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 7300 -notext -md sha256 -in intermediate/csr/ca.csr -out intermediate/certs/cacert.pem
chmod 444 intermediate/certs/cacert.pem
|
3.5 验证
1
2
3
| cd ~/ca/intermediate
openssl x509 -noout -text -in certs/cacert.pem
openssl verify -CAfile ../certs/cacert.pem certs/cacert.pem
|
1
2
3
4
| cd ~/ca/intermediate
cat ../certs/cacert.pem certs/cacert.pem > certs/ca-chaincert.pem
# 验证证书链
openssl verify -CAfile certs/ca-chaincert.pem certs/cacert.pem
|
4 创建带有SAN扩展的证书
4.1 创建san.cnf配置文件
1
2
3
4
5
6
7
8
9
10
11
12
13
| [ req_san ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
subjectAltName = @alt_names # SAN调用了alt_names所以我们下边要添加一个alt_names
# SAN地址设置,DNS是域名,ip是IP地址
[ alt_names ]
DNS.1 = net-cc.com
DNS.2 = *.net-cc.com
DNS.3 = localhost
IP.1 = 127.0.0.1
|
4.2 创建server/client Key
1
2
3
4
| cd ~/ca/intermediate/
# 此处我们没有添加加密密码,如果有加密的话,服务器可能无法解密使用key验证。。
openssl genrsa -out private/net-cc.com.key.pem 2048
chmod 400 private/net-cc.com.key.pem
|
4.3 创建证书请求文件CSR
1
2
| cd ~/ca/intermediate/
openssl req -config openssl.cnf -key private/net-cc.com.key.pem -new -sha256 -out csr/net-cc.com.csr
|
需要提供Country Name(C)、State(ST)、Locality(L)、Organization(O)、Organizational Unit(OU)、Common Name(CN)、电子邮件地址(emailAddress ),注意:Common Name不可以重复,例:
1
2
3
4
5
6
7
| Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:net-cc.com
Organizational Unit Name (eg, section) []:www.net-cc.com
Common Name (eg, your name or your server's hostname) []:net-cc.com
Email Address []:
|
1
2
3
| cd ~/ca/intermediate/
openssl ca -config openssl.cnf -extfile san.cnf -extensions req_san -days 3650 -notext -md sha256 -in csr/net-cc.com.csr -out certs/net-cc.com.cert.pem
chmod 444 certs/net-cc.com.cert.pem
|
4.5 验证
1
2
| openssl verify -CAfile certs/ca-chaincert.pem certs/net-cc.com.cert.pem
openssl x509 -noout -text -in certs/net-cc.com.cert.pem
|
4.6 Server/Client的证书密钥文件位置
- key:
~/ca/intermediate/private/net-cc.com.key.pem
- cert:
~/ca/intermediate/certs/net-cc.com.cert.pem
- CA Cert:
~/ca/intermediate/certs/ca-chaincert.pem